From 87168d66ea9dfbf6a58d8c973754a61ed7e5b751 Mon Sep 17 00:00:00 2001
From: Joren <joren@noreply.localhost>
Date: Fri, 16 May 2025 10:26:18 +0200
Subject: [PATCH] Add rules.xml

---
 rules.xml | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 rules.xml

diff --git a/rules.xml b/rules.xml
new file mode 100644
index 0000000..f2efc22
--- /dev/null
+++ b/rules.xml
@@ -0,0 +1,73 @@
+<!-- CGFW Firewall Activity Rules -->
+<group name="cgfw-firewall-activity">
+  
+  <!-- Rule: Detect Blocked Traffic -->
+  <rule id="100101" level="8">
+    <decoded_as>cgfw-firewall-activity</decoded_as>
+    <field name="Type">DROP|DENY|REJECT</field>
+    <description>Blocked traffic detected: srcIP=$(srcip) -> dstIP=$(dstip) protocol=$(L4Protocol) rule=$(FirewallRule) user=$(User)</description>
+  </rule>
+  
+  <!-- Rule: Detect Allowed Traffic -->
+  <rule id="100102" level="4">
+    <decoded_as>cgfw-firewall-activity</decoded_as>
+    <field name="Type">ALLOW</field>
+    <description>Allowed traffic detected: srcIP=$(srcip) -> dstIP=$(dstip) protocol=$(L4Protocol) rule=$(FirewallRule) user=$(User)</description>
+  </rule>
+  
+  <!-- Rule: High Bandwidth Usage -->
+  <rule id="100103" level="5">
+    <decoded_as>cgfw-firewall-activity</decoded_as>
+    <field name="SentBytes">[1-9][0-9]{7,}</field>
+    <description>High bandwidth usage detected: srcIP=$(srcip) -> dstIP=$(dstip) sentBytes=$(SentBytes) application=$(Application)</description>
+  </rule>
+  
+  <!-- Rule: Large Number of Packets Sent -->
+  <rule id="100104" level="5">
+    <decoded_as>cgfw-firewall-activity</decoded_as>
+    <field name="SentPackets">[1-9][0-9]{5,}</field>
+    <description>Large number of packets sent: srcIP=$(srcip) -> dstIP=$(dstip) sentPackets=$(SentPackets) application=$(Application)</description>
+  </rule>
+  
+  <!-- Rule: Unauthorized Protocols -->
+  <rule id="100105" level="7">
+    <decoded_as>cgfw-firewall-activity</decoded_as>
+    <field name="L4Protocol">FTP|Telnet</field>
+    <description>Unauthorized protocol detected: srcIP=$(srcip) -> dstIP=$(dstip) protocol=$(L4Protocol) user=$(User)</description>
+  </rule>
+  
+  <!-- Rule: Unauthorized Access Attempts -->
+  <rule id="100106" level="8">
+    <decoded_as>cgfw-firewall-activity</decoded_as>
+    <field name="FirewallRule">BLOCKED-ACCESS</field>
+    <description>Unauthorized access attempt detected: srcIP=$(srcip) -> dstIP=$(dstip) rule=$(FirewallRule) user=$(User)</description>
+  </rule>
+  
+  <!-- Rule: Traffic to High-Risk URL Categories -->
+  <rule id="100107" level="9">
+    <decoded_as>cgfw-firewall-activity</decoded_as>
+    <field name="URLCategory">Malware|Phishing|Proxy Avoidance</field>
+    <description>Traffic to high-risk URL category detected: srcIP=$(srcip) -> dstIP=$(dstip) category=$(URLCategory) content=$(Content)</description>
+  </rule>
+  
+  <!-- Rule: Internal to External Traffic Detection -->
+  <rule id="100108" level="3">
+    <decoded_as>cgfw-firewall-activity</decoded_as>
+    <field name="SourceInterface">Internal</field>
+    <field name="DestinationInterface">External</field>
+    <description>Internal to external traffic: srcIP=$(srcip) -> dstIP=$(dstip) interface=$(SourceInterface) -> $(DestinationInterface) user=$(User)</description>
+  </rule>
+  
+  <!-- Rule: Suspicious Long Session Duration -->
+  <rule id="100109" level="5">
+    <decoded_as>cgfw-firewall-activity</decoded_as>
+    <field name="Duration">[3-9][0-9]{3,}</field>
+    <description>Suspicious long session duration: srcIP=$(srcip) -> dstIP=$(dstip) duration=$(Duration) seconds application=$(Application)</description>
+  </rule>
+  
+  <!-- Default Catch-All for Any Remaining Logs -->
+  <rule id="100110" level="4">
+    <decoded_as>cgfw-firewall-activity</decoded_as>
+    <description>Barracuda Firewall general event: srcIP=$(srcip) -> dstIP=$(dstip) protocol=$(L4Protocol) rule=$(FirewallRule) application=$(Application)</description>
+  </rule>
+</group>